Preventing XSS

Question

Preventing XSS

terrorfall opened this issue 4 years ago · comments

Not sure if I'm missing something obvious here, but how do I prevent XSS?

I've been able to insert a script alert function into the database and I can't see anywhere to add the validator to prevent this.

Line 32 on src/resources/views/usersmanagement/show-user.blade.php

{!! trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) !!}

This should be {{ }} instead of {!! to prevent raw output

Thanks

Niraj Shah · Answer 1 · Fri May 22 2020 22:29:36 GMT+0800 (China Standard Time)

Looking at the code, there are several places where the code is rendering raw HTML instead of sanitized text. For example, the show-user.blade.php, Line 32 is using:

{!! trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) !!}

but should ideally be:

{{ trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) }}

If $user->name is not sanitised, it allows XSS issues like <script>alert('XSS');</script> being outputted on the page. There are a few instances of this issue in the code.

Jeremy Kenedy · Answer 2 · Fri May 22 2020 22:50:43 GMT+0800 (China Standard Time)

Validators are in the controller.

https://github.com/jeremykenedy/laravel-users/blob/master/src/App/Http/Controllers/UsersManagementController.php

It’s supposed to render raw HTML and xss is protected by the csfr token.

If you make a or to update the rules I accept it.

Niraj Shah · Answer 3 · Fri May 22 2020 23:06:13 GMT+0800 (China Standard Time)

Unfortunately, the CSRF token is not protecting against a user entering <script>alert('XSS');</script> into the "name" field. The blade will output this as a raw script tag allowing code execution.

Jeremy Kenedy · Answer 4 · Fri May 22 2020 23:13:12 GMT+0800 (China Standard Time)

If the rules are updated I will accept the pr.

Thanks

Jeremy Kenedy · Answer 5 · Sat May 23 2020 00:10:30 GMT+0800 (China Standard Time)

If I don't see a PR come across this AM I am going to take a closer look at this and its high priority.

Niraj Shah · Answer 6 · Sat May 23 2020 00:19:44 GMT+0800 (China Standard Time)

Sorry, I'm not using this library. I just discovered this issue in a project while conducting a security review. Depending on the use of the "name" field, the issue can be resolved using rule 'regex:/[a-zA-Z\-\' ]+$/' or built-in validation rule alpha_dash.

The regex rule allows any alpha characters as well as dashes, apostrophes and spaces, which should be sufficient for names.

Pete Simmons · Answer 7 · Sat May 23 2020 00:37:31 GMT+0800 (China Standard Time)

#65 PR submitted, might need further implementation around resource translation strings

Jeremy Kenedy · Answer 8 · Sat May 23 2020 00:44:09 GMT+0800 (China Standard Time)

Thank you both! Merged in #65

Jeremy Kenedy · Answer 9 · Sat May 23 2020 01:57:55 GMT+0800 (China Standard Time)

I also added strip_tags 44bee8a